Application Installation, Networking, & Tools

This is a guide on application installation, networking, and tools.

Installation and Deployment Methods

So, there's a couple of things to think about here. The first is the distribution method. And there's essentially, in the Microsoft world today, there's essentially four ways that I can get software onto your machine. I can manually install it, right, I can go to the machine with a compact disc or do it locally. [Video description begins] Manual installation options include installing the media directly on a local machine. [Video description ends] Or maybe not the disk, maybe the files are up on the network but I sit at the machine and I do it manually. [Video description begins] Manual installation options include remote installation over a network. [Video description ends]
 
Most popular, I would say, is the group policy deployment. For that, the application has to have an MSI file. Those Microsoft installer packages work with group policy to automate application installation. Third party solutions, like System Center Configuration Manager, which lets me install not just Microsoft software, but other software as well. [Video description begins] System Center Configuration Manager is abbreviated as SCCM. [Video description ends] And then finally the Microsoft Store, where I can download what they call AppX packages from.
 
So, I can perform the distribution of the application in one of these four methods. I've got to have licences for that application, right? I want to be licensed, I don't want to turn up in an audit somewhere, and then the clients that I'm installing them on must meet the prerequisites. So if the application has a requirement for memory, free disk space, right, it's going to have that certainly. I have to know that there is that much free disk space on the clients, in order to install the application. [Video description begins] Prerequisites should be installed first. [Video description ends]
 
What we will commonly do is set up a distribution share. And a distribution share is just a folder on a network location that's been shared out and it contains all the installation files, as well as all other required files. Now, what else might be required? Well, maybe the application requires a particular version of the .NET Framework. And so I want to install not just the application, but ahead of that, I want to install that particular version of the .NET Framework.
 
Now this is the important bit. For any of these distribution shares that I want to be broadly accessible to the clients in my business, there's certain permission settings that I have to have on that share. And what Microsoft recommends is that you share the folder out with everyone full control. And then you restrict the NTFS permissions to authenticated users with read, plus read and execute, permissions. They've got to have that execute permission. If they don't have the read and execute permission, they can't run the set up installer. And so it's read, and read and execute NTFS permissions.
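The permission split described above, as an added example that is not part of the original course material: it shares the folder to Everyone with Full Control, sets NTFS to Authenticated Users with Read & Execute, then audits the folder for any other principal that can write. The path, the share name, and the Full Control entries for Administrators and SYSTEM (so the share can still be maintained) are assumptions of this example.

```powershell
#Requires -RunAsAdministrator
# Added example. $Path and $ShareName are hypothetical values chosen for illustration.
$Path      = 'D:\Deploy\Apps'
$ShareName = 'Apps'

# Well-known SIDs, used instead of account names so the script is locale-independent.
$AuthUsers = [System.Security.Principal.SecurityIdentifier]'S-1-5-11'      # Authenticated Users
$Admins    = [System.Security.Principal.SecurityIdentifier]'S-1-5-32-544'  # BUILTIN\Administrators
$System    = [System.Security.Principal.SecurityIdentifier]'S-1-5-18'      # NT AUTHORITY\SYSTEM

New-Item -ItemType Directory -Path $Path -Force | Out-Null

$inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$noProp  = [System.Security.AccessControl.PropagationFlags]::None
$allow   = [System.Security.AccessControl.AccessControlType]::Allow

# NTFS: stop inheriting from the parent, clear what is there, then grant only what is needed.
$acl = Get-Acl -Path $Path
$acl.SetAccessRuleProtection($true, $false)
foreach ($ace in @($acl.Access)) { [void]$acl.RemoveAccessRule($ace) }
foreach ($entry in @(
        @{ Sid = $AuthUsers; Rights = 'ReadAndExecute' },   # the setting the text calls for
        @{ Sid = $Admins;    Rights = 'FullControl' },      # assumption: admins maintain the share
        @{ Sid = $System;    Rights = 'FullControl' })) {   # assumption: SYSTEM keeps access
    $rights = [System.Security.AccessControl.FileSystemRights]$entry.Rights
    $rule   = [System.Security.AccessControl.FileSystemAccessRule]::new(
                  $entry.Sid, $rights, $inherit, $noProp, $allow)
    $acl.AddAccessRule($rule)
}
Set-Acl -Path $Path -AclObject $acl

# Share permission: Everyone / Full Control, so NTFS is the only effective gate.
# ('Everyone' is the English account name; it differs on localized systems.)
if (-not (Get-SmbShare -Name $ShareName -ErrorAction SilentlyContinue)) {
    New-SmbShare -Name $ShareName -Path $Path -FullAccess 'Everyone' | Out-Null
}

function Test-DistributionShareAcl {
    # Returns every Allow ACE that lets a non-administrative principal change content.
    param([Parameter(Mandatory)][string]$Path)
    $writeMask = [System.Security.AccessControl.FileSystemRights](
        'WriteData, AppendData, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership')
    $trusted = 'S-1-5-32-544', 'S-1-5-18'
    $rules = (Get-Acl -Path $Path).GetAccessRules(
        $true, $true, [System.Security.Principal.SecurityIdentifier])
    foreach ($ace in $rules) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($ace.IdentityReference.Value -in $trusted) { continue }
        if ($ace.FileSystemRights -band $writeMask) {
            [pscustomobject]@{
                Sid    = $ace.IdentityReference.Value
                Rights = $ace.FileSystemRights
            }
        }
    }
}

$findings = @(Test-DistributionShareAcl -Path $Path)
if ($findings.Count -eq 0) {
    "OK: only Administrators and SYSTEM can modify files under $Path"
} else {
    'Writable by non-administrative principals:'
    $findings | Format-Table -AutoSize
}
Get-SmbShareAccess -Name $ShareName | Format-Table -AutoSize
```

Because the share permission is wide open by design, the audit function is the part worth re-running on a schedule: a single stray Modify entry on the folder lets any client replace the installers everyone else runs.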
 
Now, to minimize the impact of these application installs, there are a couple of considerations I want to have in mind. What's going to be the impact to the user during the production hours if I try to install this when there's somebody working at the machine? Is it going to be a lot of overhead? Will it run as a background? Using BITS, will it run as a background intelligent transfer operation? And so it'll be minimal impact on a machine, that's what I want, right? How do I assess machine readiness? The hardware requirements, the memory requirements, the disk space requirements? Well, the application that I'm installing will give me all these specifications.
 
Now, let's say the application I'm installing requires 600 megs of free disk space. And I think to myself, well, I know that there are some machines out there that don't have 600 megs of free disk space. Well, what can I do? Well, I can write a WMI filter, and attach that to the group policy software installation, or a third party software installation mechanism. And what a WMI filter will do is it will test the machine. It will go out and it will say, what's your free disk space? And then I can write logic into that. If it's greater than 600 megs, then install the application. If it's less than 600 megs, do not install the application. And I can do targeted deployments using those WMI filters.
 
I want to use the clean source principles. That is to say, that I want to know that the installation files come from the manufacturer and have not been tampered with. That they are digitally signed. And so I can validate where I got these from, whose are these?
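The free-disk-space filter and the clean-source check from the two passages above, as an added example that is not part of the original course material: it builds the WQL query a Group Policy WMI filter would carry, evaluates it locally the way Group Policy does, and verifies the installer's Authenticode signature against a pinned publisher certificate. The installer path, the thumbprint and the choice of drive C: are placeholders and assumptions of this example.

```powershell
# Added example. Path and thumbprint below are placeholders, not values from the course.
$Installer          = '\\fileserver\Apps\ExampleApp\setup.msi'   # hypothetical installer
$ExpectedThumbprint = '<PUBLISHER-CERT-THUMBPRINT>'              # placeholder to fill in

# The 600 MB requirement from the text, as the query text for a WMI filter
# (namespace root\CIMv2). Assumption: the application installs to drive C:.
$RequiredBytes = 600MB                                           # 629145600 bytes
$Wql = "SELECT * FROM Win32_LogicalDisk WHERE DeviceID = 'C:' AND FreeSpace > $RequiredBytes"

function Test-WmiFilter {
    # A WMI filter passes when its query returns at least one instance.
    param([Parameter(Mandatory)][string]$Query)
    $hits = @(Get-CimInstance -Namespace 'root/cimv2' -Query $Query -ErrorAction Stop)
    return ($hits.Count -gt 0)
}

function Test-InstallerSignature {
    # Valid signature AND signed by the certificate we expect. A valid signature
    # from some other publisher is reported as untrusted.
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string]$Thumbprint
    )
    $sig = Get-AuthenticodeSignature -FilePath $Path
    $result = [pscustomobject]@{
        Path    = $Path
        Status  = $sig.Status
        Signer  = $sig.SignerCertificate.Subject
        Trusted = $false
        Reason  = ''
    }
    if ($sig.Status -ne 'Valid') {
        $result.Reason = "signature status is $($sig.Status): $($sig.StatusMessage)"
    } elseif ($sig.SignerCertificate.Thumbprint -ne $Thumbprint) {
        $result.Reason = 'signed, but not by the expected publisher certificate'
    } else {
        $result.Trusted = $true
    }
    return $result
}

$diskOk = Test-WmiFilter -Query $Wql
"WMI filter query : $Wql"
"Filter result    : $diskOk"

if (Test-Path -LiteralPath $Installer) {
    $sigCheck = Test-InstallerSignature -Path $Installer -Thumbprint $ExpectedThumbprint
    $sigCheck | Format-List
    if ($sigCheck.Trusted -and $diskOk) {
        'Ready: installer is signed by the expected publisher and the disk check passes.'
    } else {
        'Not ready: do not publish or install this package.'
    }
} else {
    "Installer not found at $Installer (placeholder path)."
}
```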
 
In terms of the network, what's my net available bandwidth? Do I have the bandwidth to stream this application install out to everybody? Is it going to impact the production traffic? Should I schedule it for off-hours? And if I'm installing across the WAN, I want to know that all that traffic is encrypted, and then what's the impact of that encryption overhead?
 
And then finally, you can minimize the impact of this by using, well, the Microsoft Store App's AppX files. Or you can virtualize it using the App-V technology from Microsoft. So the application isn't really installed on the machine the way we would normally think of it. It's somewhere else, maybe sitting on what we used to call terminal servers. And the processing is all happening on the terminal server, and all the client's really getting are screen scrapings.
 
Those solutions make all the rest of this pretty much go away. Because they're very lightweight solutions as opposed to a full-scale application install on the client machine.
 

Firewall Settings

In this demonstration, we'd like to take a look at the configuration of the firewall. And this is a software-implemented firewall that's built in to the Windows operating system, and has been for many generations.
 
Today though, it's a little bit different, it's been rebranded and integrated as the Windows Defender Firewall. So the anti-malware solution from Microsoft is integrated into the software implemented firewall. Now, if you're in an environment where you're using other software firewalls or physical firewalls, you may want to test the compatibility and you may want to choose to use one or the other. They're not all compatible with each other all the time.
 
This Windows Defender Security Center, which is where we're currently, is a brand-new interface that's unique to Windows 10, right? The environments never looked like this before, this is a very Windows 10 kind of look and feel to it. [Video description begins] The Windows Defender Security Center is open on the Security at a glance page. Options include Virus & threat protection, Account protection, and App & browser control. The presenter selects Firewall & network protection. The Firewall & network protection page opens. There are options to view network connections, specify firewall settings, and troubleshoot network and Internet issues. [Video description ends]
 
And if I start by launching the Firewall & network protection choice, I see three networks listed. The Public network, the Private network, and the Domain network, and I see that the Firewall is on and active on the Public network, as it is configured to be. [Video description begins] The firewall is currently listed as off for the domain and private networks. [Video description ends] And the network that I'm currently on is a Public network. [Video description begins] The public network is listed as active. [Video description ends]
 
And what does that mean, or how does the machine know it's a Public network? Well, it doesn't. I have to tell it and you've seen this when you connect, right? You're in Starbucks, or McDonald's, or the airport, you connect to the Wi-Fi, it says, is this a public or private network? And you can then tell it it's a Public network, I'm out in public, so I want the most security that I can get. I want you to shut down everything that I don't absolutely need or that I don't call for. Right out of the box, we're not going to accept any incoming connections at all. Only outgoing, and not all the responses to our outgoing request will come back through that firewall. And so we're secure in that airport or more secure in that airport.
 
With a private network, that's something like my home office, right? I'm behind my residential firewall, probably I've a VPN solution that tunnels me into the office. And so I feel pretty confident, I'm not at scaled risk for attack here in the house. And so on my home network, I specify that it's a Private network.
 
And then finally, why doesn't it ask you, are you on a Domain network? Why is that not an option you can choose? Because if there's an authentication server present, a domain controller there to authenticate the client as it starts up, to authenticate you as you log in, the machine knows that it's on the domain network. Which should be the safest of all, and therefore is likely to have the most lax policies in place, because there's other protections there.
 
Now, one of the things that we can do, and of course, out of the box, the firewall has a bunch of rules. Just the most common things that Microsoft can think of to defend the box from the emergent threats of the 21st century Internet. Those rules are there and in place, just by turning it on. Of course, you can import your own rules, create your own rules, and make exceptions to the rules.
 
So down here, there's a choice. If I look, there's this little list of settings, right? [Video description begins] He points to the links below the list of network connections. [Video description ends] Restore firewalls to default, right, what it came shipped with. And the Advanced settings, which I do want to take a look at real quickly before we finish. When does the firewall notify me? [Video description begins] He points to the Firewall notification settings link. [Video description ends] Network and Internet troubleshooter, if I'm having trouble. And here is one that everybody's going to want to know about, Allow an app through the firewall. Make an exception to the firewall rules that are in place.
 
[Video description begins] He selects the Allow an app through firewall link. The Allowed apps page of Windows Defender Firewall opens. A list of allowed apps and features displays. Each app or feature has a set of associated checkboxes to allow communication through the firewall on the domain, private, or public networks. [Video description ends]
 
And here's the list of Allowed apps. So out of the box, right, I have all these Microsoft Edge exceptions, right, or rules to allow them to come or go. Windows Cortana services, the App Installer, the Bonjour Service for my iPhone. [Video description begins] He points to some of the allowed apps and features listed. Others include Apple Push Service and Captive Portal Flow. [Video description ends]
 
Now, I've got, let's say that in the office, we use Filezilla as a kind of file sharing app. And that's the kind of thing that, okay, when you're in the office, it's safe to use, because I know the connections are only coming from your fellow employees, but outside the office, no way. So what I can do is I can click Add and Allow another app, [Video description begins] The Add an app dialog box opens. It includes options to add additional apps to the allowed apps and features list. [Video description ends] and then when this dialog box opens, it asks me for the path to that application. [Video description begins] He points to the Path text box, which is currently empty. [Video description ends]
 
So if I browse out here into the Local Disk > Program Files > Filezilla, [Video description begins] He clicks the Browse button associated with the Path text box. A Browse dialog box opens. [Video description ends] there's the executable. I can select the executable. [Video description begins] He selects the filezilla.exe file in the FileZilla FTP Client folder and clicks Open. The file displays in the Apps list of the Add an app dialog box. [Video description ends] And then there's a Network Types choice at the bottom here. [Video description begins] He clicks the Network types button. The Choose Network Types dialog box opens. It includes options to decide which networks the app can communicate through the firewall on. [Video description ends]
 
I want this rule to apply only when it's on the domain. Because that's the only safe place to allow these kinds of FTP connections. [Video description begins] He selects the Domain checkbox. There are also checkboxes for Private and Public. [Video description ends] If you're at home, if you're in public, it doesn't work. [Video description begins] He clicks OK to close the Choose Network Types dialog box. [Video description ends] This is only going to work inside the office and I hit Add. [Video description begins] He clicks Add on the Add an app dialog box. The dialog box closes and the FileZilla FTP Client is added to the Allowed apps and features list. [Video description ends]
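The same domain-only exception expressed with the NetSecurity cmdlets, as an added example that is not part of the original demonstration: it shows the profile state, creates an inbound allow rule for the FileZilla executable on the Domain profile only, and lists every enabled per-application exception that still applies on Private or Public networks. The rule name and the function name are made up for this example, and the path assumes the default install folder seen in the demo.

```powershell
#Requires -RunAsAdministrator
# Added example. The path assumes the "FileZilla FTP Client" folder under Program Files.
$Program  = Join-Path $env:ProgramFiles 'FileZilla FTP Client\filezilla.exe'
$RuleName = 'FileZilla FTP Client (domain only)'     # hypothetical display name

# Which profiles have the firewall on, and which profile each connection landed in.
Get-NetFirewallProfile   | Select-Object Name, Enabled, DefaultInboundAction | Format-Table
Get-NetConnectionProfile | Select-Object InterfaceAlias, NetworkCategory     | Format-Table

# Inbound allow for this one program, active only while the Domain profile applies.
if (-not (Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $RuleName -Direction Inbound -Action Allow `
        -Program $Program -Profile Domain | Out-Null
}

function Get-OffDomainAppException {
    # Enabled inbound allow rules tied to a program that are in force on Private,
    # Public, or all profiles: the exceptions that follow the laptop out of the office.
    Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True |
        Where-Object { "$($_.Profile)" -match 'Any|Private|Public' } |
        ForEach-Object {
            $app = $_ | Get-NetFirewallApplicationFilter
            if ($app.Program -and $app.Program -ne 'Any') {
                [pscustomobject]@{
                    Rule    = $_.DisplayName
                    Profile = "$($_.Profile)"
                    Program = $app.Program
                }
            }
        }
}

$exposed = @(Get-OffDomainAppException)
"Per-application inbound exceptions active outside the domain: $($exposed.Count)"
$exposed | Sort-Object Program | Format-Table -AutoSize

# The rule created above must not appear in that list.
if ($exposed.Rule -contains $RuleName) {
    Write-Warning "$RuleName is active on a non-domain profile"
}
```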
 
Now I want to point out to you, from this dialog box that opened in the Windows Defender Firewall, Windows 10 applet. If I choose Windows Defender Firewall up here now, this looks quite different than what we were just looking at because this is a more traditional interface, right? Still of recent design but not like it has been. [Video description begins] He selects Windows Defender Firewall in the breadcrumb navigation bar. The Windows Defender Firewall options display in the control panel interface. [Video description ends]
 
And so I want to point out to you that if you go into this thing through the Control Panel, this is what you see, but if you go into the Windows Defender Security Center, you see the other one. And don't be confused by that or don't let that throw you off. It's all the same choices, it's all the same settings, everything is really very much the same, it just looks different, the look and feel is different.
 
And so over here on the left now is that same list we saw at the bottom [Video description begins] He points to the links in the navigation pane. [Video description ends] and I want to take a look real quick at the Advanced settings. [Video description begins] He selects Advanced settings. The Windows Defender Firewall with Advanced Security window opens. It includes overview and getting started information, as well as an Actions pane, which has options to import and export policies. [Video description ends]
 
Now, beyond the scope of this course is what's in here. This is where I get the fine-grained ability to specify not just an application by its path, but a port number or a series of port numbers, or the entire ephemeral port range as an exception to my rules. Or as a new rule to block, and I'll block them all. I can define connection security rules, which tell me when and who can connect to this machine. Or will accept connections from the outside world to this machine, or will allow connections from this machine to places that normally you wouldn't be able to get to, but we'll make it possible here.
 

Windows IP Addressing

And so in the Control Panel, and again, if your Control Panel doesn't look like mine. If you're following along on your machine. If you look in the upper right-hand corner, there's a choice to list by Category, Small icons, my preferred view, strictly opinion here, the Large icons, right? Which attest to my failing eyesight. [Video description begins] The Control Panel is open on the All Control Panel Items page. Options include Administrative Tools, Autoplay, and BitLocker Drive Encryption. The presenter expands the View by drop-down list and clicks through the options, before selecting Large icons. [Video description ends]
 
The Network and Sharing Center is where we configure the NIC cards. And so if I look in the Network and Sharing Center, I can see that I have at least three networks, this is a multi-homed machine, right? [Video description begins] He selects Network and Sharing Center and the associated page opens. It lists basic network information and allows for connections to be set up. He points to a list of Internet connections, which include a vEthernet (Corporate) connection and a vEthernet (HNS Internal NIC) connection. [Video description ends] It plugs into three different network segments and it does a bunch of things for me.
 
And so if I look over here on the left, in the navigation pane, I can return to the Control Panel. I can Change adapter settings or Change advanced sharing settings. [Video description begins] He points to the Control Panel Home, Change adapter settings, and Change advanced sharing settings links in the navigation pane. [Video description ends] Now what we're interested in here is taking a look at the adapter settings and what that configuration looks like. [Video description begins] He selects the Change adapter settings link. The Network Connections page opens. A list of connections displays. [Video description ends]
 
So I'm going to go into the adapter settings. And here I see the NICs and there's a bunch of these connections. One is labelled Internet, that must get me out to the Internet. One is labelled HNS, which is the Host Name Service, [Video description begins] He points to the Internet and vEthernet (HNS Internal NIC) connections. [Video description ends] which is a core component of the shielded VM solution in Microsoft today. Really a solid, rock solid, security solution. One of the best we've seen from Microsoft ever. There's the corporate network, my intranet. [Video description begins] He points to the Corp connection. [Video description ends] There's another Internet connection, and the Corp connection, another network segment on my Internet.
 
Now, if I take a look at the HNS Internal NIC, I can go to its Properties. [Video description begins] He right-clicks the vEthernet (HNS Internal NIC) connection and points to Properties in the shortcut menu. [Video description ends] Or better yet, let's open a Command Prompt. [Video description begins] He opens a command prompt window from the taskbar. [Video description ends] And in the Command Prompt, let's do an ipconfig, right? An ipconfig will give me the machine's current IP configuration. [Video description begins] He runs the command: ipconfig. A list of configuration information for the different NICs on his system displays in the output. [Video description ends] Not all the details of it, but kind of the broad strokes, the critical data.
 
So I can see, for example, that the corporate network uses a 10 address. [Video description begins] He points to the IPv4 address for the vEthernet (Corporate) connection in the output, which is 10.0.0.1. [Video description ends] Now guys, look, if you don't know IP addressing, there's a couple things you want to know right off the bat. Every IP address tells me two things, it tells me the network segment that I am on [Video description begins] He highlights the 10 in the 10.0.0.1 IPv4 address. [Video description ends] and then it gives me a unique identifier for a particular host on that network. [Video description begins] He highlights 0.0.1 in the 10.0.0.1 IPv4 address. [Video description ends] So an IP address is always a unique network and a unique host on that network.
 
Here again, and some of you that are familiar with TCP/IP, can identify a few things right off the bat, I would think, right? This, for example, the 10 address is a private network address. It's not routable on the Internet. [Video description begins] He highlights the 10.0.0.1 IPv4 address in the output. [Video description ends]
 
This up here, well, this just happens to be a live public Internet address. [Video description begins] He highlights the IPv4 address of 23.235.27.168 for the vEthernet (Internet) connection in the output. [Video description ends] Which means that this server is actually on the public Internet, it does a whole bunch of things for me. And, I have this unique network that it's on [Video description begins] He highlights 23.235.27.1 in the 23.235.27.168 IPv4 address. [Video description ends] and then this unique machine on that network. [Video description begins] He highlights 68 in the 23.235.27.168 IPv4 address. [Video description ends]
 
Up top here, the HNS Internal NIC has this IP address, which is what we're interested in. [Video description begins] He points to the IPv4 address of 172.24.32.1 for the vEthernet (HNS Internal NIC) connection in the output. [Video description ends] It's been misassigned. It's got the IP address from DHCP, and it should be statically assigned. And that IP address, that .1 that's a router address. I reserve all the .1s, everything under .10 for router addresses. [Video description begins] He highlights the 172.24.32.1 IPv4 address, opens the command prompt menu from the title bar, and selects Edit - Copy. [Video description ends] Server addresses start at .100 for me.
 
Right now you can come up with your own schemes. But that gives you some idea of how you can use these things and what kind of information you can glean about the network, just looking at this data. The 172.24 is a traditional Class B address, which is also in the private range. So, again, not routable on the Internet, used for internal IP addressing.
 
Okay, so now that we've identified what the problem is, this has been mistakenly assigned through DHCP. Well, we want to change that. So I'm going to come in here [Video description begins] He returns to the Network Connections page of the Control Panel. [Video description ends] and I'm going to, in the Network Connections folder, I'm going to right-click the NIC card that's of interest to me. [Video description begins] He right-clicks the vEthernet (HNS Internal NIC). [Video description ends]
 
And I'm going to go to Properties, [Video description begins] He selects Properties from the shortcut menu. A vEthernet (HNS Internal NIC) Properties dialog box opens. The Networking tab is selected. The type of connection and the items it uses displays. [Video description ends] and under Properties there is Internet Protocol Version 4 (TCP/IP). [Video description begins] He selects Internet Protocol Version 4 (TCP/IPv4) from the This connection uses the following items list. An Internet Protocol Version 4 (TCP/IPv4) Properties dialog box opens. The General tab is selected. Options to set IP and DNS server addresses either automatically or manually display. [Video description ends]
 
Currently configured to obtain IP addressing information automatically, [Video description begins] He points to the Obtain an IP address automatically radio button, which is selected. [Video description ends] I'm going to say no. [Video description begins] He selects the Use the following IP address radio button, then right-clicks in the IP address field and selects Paste from the shortcut menu. The IP address, 172.24.32.1, displays. [Video description ends] You must obtain that IP address manually. [Video description begins] He adds a subnet mask of 255.255.240.0. [Video description ends] And remember we said the default gateway, that is the path off the local network segment. It should always be a .1 in my place [Video description begins] He adds a default gateway of 172.24.32.1. [Video description ends] and my servers start counting at 100.
 
So I'm going to go ahead and give this server that unique IP address. [Video description begins] He changes the IP address from 172.24.32.1 to 172.24.32.100. [Video description ends] Specify that the default gateway, the pathway off this network segment, is at that address. [Video description begins] He points to the default gateway address of 172.24.32.1. [Video description ends] And I could manually assign the DNS servers or I could let the machine keep getting that configuration data from DHCP, that's what works, right? [Video description begins] He points to the Obtain DNS server address automatically radio button, which is cleared. [Video description ends]
 
Down here, there's the Advanced choice, [Video description begins] He clicks Advanced. The Advanced TCP/IP Settings dialog box opens. The IP Settings tab is selected. There are options to add, edit, or remove the IP address and default gateway. [Video description ends] and here I could assign an alternate IP address. [Video description begins] He clicks the Add button associated with the IP address list. A TCP/IP Address dialog box opens. [Video description ends]
 
Suppose this happens again, right? I have some enthusiastic junior admin that's going around assigning these addresses haphazardly. And he assigns the .100 address, and I get an IP conflict and my server goes down. Well, I don't want that to happen, right? So I'm going to assign an alternate IP address, [Video description begins] He adds the IP address, 172.24.32.101 with a subnet mask of 255.255.240.0. [Video description ends] and normally I would make it probably a little different from the one that I just assigned. But an alternate IP address so that if that address should suddenly become unavailable and I get an IP address conflict, it can use this fail over address if you will.
 
How does this machine know which parts of the IP address are the network and which parts are the host? From the subnet mask, [Video description begins] He highlights the subnet mask of 255.255.240.0. [Video description ends] everywhere there's a 255, that's network address, network address, network address, [Video description begins] He highlights the 172 and 24 from the IP address of 172.24.32.101. [Video description ends] and then this gets a little tricky, this is part of the network address. [Video description begins] He highlights the 32 from the IP address of 172.24.32.101. [Video description ends] But you can be sure this is a unique host on that network. [Video description begins] He highlights the 101 from the IP address of 172.24.32.101. [Video description ends]
 
Go ahead and add that. [Video description begins] He clicks Add. The TCP/IP Address dialog box closes. The additional IP address subnet mask displays in the Advanced TCP/IP Settings dialog box. [Video description ends] And over here I can assign additional DNS servers here. [Video description begins] He selects the DNS tab. There are options to add DNS servers, as well as append DNS suffixes. [Video description ends]
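The addressing steps above, as an added example that is not part of the original demonstration: it works out which bits of 172.24.32.100 the 255.255.240.0 mask assigns to the network and which to the host, checks that the gateway and the second address sit in the same subnet, and then applies the static configuration. The second address is added the way the Advanced dialog adds it, as an additional address bound to the same adapter; the function names are made up for this example.

```powershell
#Requires -RunAsAdministrator
# Added example. Addresses and adapter name are the ones shown in the demonstration.
$Alias     = 'vEthernet (HNS Internal NIC)'
$Address   = '172.24.32.100'
$Alternate = '172.24.32.101'
$Gateway   = '172.24.32.1'
$Mask      = '255.255.240.0'

function Get-Ipv4Split {
    # Splits an IPv4 address into network and host parts using the subnet mask.
    param([Parameter(Mandatory)][ipaddress]$Address, [Parameter(Mandatory)][ipaddress]$Mask)
    $a = $Address.GetAddressBytes()
    $m = $Mask.GetAddressBytes()
    $net   = 0..3 | ForEach-Object { $a[$_] -band $m[$_] }               # mask bits = 1
    $node  = 0..3 | ForEach-Object { $a[$_] -band (255 -bxor $m[$_]) }   # mask bits = 0
    $bcast = 0..3 | ForEach-Object { $net[$_] -bor (255 -bxor $m[$_]) }
    $ones  = (($m | ForEach-Object { [Convert]::ToString($_, 2) }) -join '').Replace('0', '')
    [pscustomobject]@{
        Address      = $Address.ToString()
        Network      = $net -join '.'
        HostPart     = $node -join '.'
        Broadcast    = $bcast -join '.'
        PrefixLength = $ones.Length
    }
}

function Test-SameSubnet {
    param([string]$A, [string]$B, [string]$Mask)
    (Get-Ipv4Split -Address $A -Mask $Mask).Network -eq
    (Get-Ipv4Split -Address $B -Mask $Mask).Network
}

# 255.255.240.0 is /20: the third octet is split, 4 bits network and 4 bits host,
# so 172.24.32.0 through 172.24.47.255 is one subnet.
$split = Get-Ipv4Split -Address $Address -Mask $Mask
$split | Format-List
# Network: 172.24.32.0  HostPart: 0.0.0.100  Broadcast: 172.24.47.255  PrefixLength: 20

foreach ($other in $Gateway, $Alternate) {
    if (-not (Test-SameSubnet -A $Address -B $other -Mask $Mask)) {
        throw "$other is not in the same subnet as $Address"
    }
}

# Apply only if the adapter from the demo exists on this machine.
if (Get-NetAdapter -Name $Alias -ErrorAction SilentlyContinue) {
    # Turn off DHCP and clear what it handed out, including its default route.
    Set-NetIPInterface -InterfaceAlias $Alias -AddressFamily IPv4 -Dhcp Disabled
    Get-NetIPAddress -InterfaceAlias $Alias -AddressFamily IPv4 -ErrorAction SilentlyContinue |
        Remove-NetIPAddress -Confirm:$false
    Get-NetRoute -InterfaceAlias $Alias -DestinationPrefix '0.0.0.0/0' -ErrorAction SilentlyContinue |
        Remove-NetRoute -Confirm:$false

    New-NetIPAddress -InterfaceAlias $Alias -IPAddress $Address `
        -PrefixLength $split.PrefixLength -DefaultGateway $Gateway | Out-Null
    New-NetIPAddress -InterfaceAlias $Alias -IPAddress $Alternate `
        -PrefixLength $split.PrefixLength | Out-Null

    Get-NetIPAddress -InterfaceAlias $Alias -AddressFamily IPv4 |
        Select-Object IPAddress, PrefixLength, PrefixOrigin | Format-Table
} else {
    "Adapter '$Alias' not found; nothing applied."
}
```

After the change, `PrefixOrigin` should read `Manual` for both addresses; a value of `Dhcp` means the lease is still in place.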
 
And there is a feature of Ethernet that we used to talk a lot about, but we don't talk about anymore because connection speeds have gotten so good. [Video description begins] He clicks Cancel on each of the open dialog boxes until he returns to the Network Connections page of the Control Panel. [Video description ends] But at one time, we had half duplex and full duplex options. And what that meant was that if I expected, and remember this is for ten megabits per second and slower networks, right? What I expected was that on this network, each one will want to talk to each other as much as it wants to talk to them. And in those kinds of scenarios, what you might do as a kind of early primitive quality of service bandwidth control, you might enforce half duplexing. Which would mean each NIC card could use only 50% of its downstream or upstream talk time, of its bandwidth. And in that way, you could get some control over what was happening on the network.
 
Now we have much better ways of doing this today. Full duplex means the NIC card can use 100% of the bandwidth going out and/or 100% of the bandwidth coming in at any given time, 100%. Half duplex, half all the time.
 

Establish Networking Connections

Let's talk a little bit about networks, network architecture, and then the nature of network connections.
 
[Video description begins] A diagram of a typical home network displays. Two desktop PCs are connected to the Internet via a modem and router. The router acts as the default gateway. Other devices, such as gaming consoles and tablets or smartphones, connect to the router via Wi-Fi. An additional device, a laptop, connects directly to the Internet using its own internal networking hardware. [Video description ends]
 
And the simplest kind of network that we think about is where we plug in to the local network. And a good example of that could be the home network. And so in my home, I have a cable modem, commonly provided by my ISP, that modem connects to a router, and the router is the default gateway. And we all know that the default gateway is the way that I get off my local network and onto another network, right? So I have network segments in my house commonly today too, there'll be the wired network if I support wired connections to that router. And then there'll be the Wi-Fi network. And we can see here in this example, from the router there are two wired computers. And then I see to the wireless gaming console, the phone, right? Connected to the Wi-Fi.
 
And there's an important distinction to make there. That the wireless segment is a separate network segment, so it will have its own set of IP addresses. As opposed to the wired network inside my house. And so, inside the house, there are two network segments, the router can communicate between them and it can also pass traffic out to the public Internet. And this is a simple kind of network design that gets the basics across. But it's rare that this is what our business looks like, right?
 
Our business is going to tend to look something more like this. [Video description begins] A diagram of a typical corporate network displays. It's divided into three sections: external, perimeter, and intranet. [Video description ends] There's the internal network with my desktop clients, mobile clients, servers, the authentication and infrastructure, and management servers, the application servers, and the file servers, right? Everything inside the network. [Video description begins] The presenter points to the intranet section of the diagram, which includes desktop and mobile clients, file and storage servers, communication servers, and infrastructure and management servers, which consist of DNS servers and domain controllers. There are also application servers for e-mail, web, and databases, which consist of DB, Web, and SharePoint servers. [Video description ends]
 
Then there is the perimeter network, my DMZ, [Video description begins] Perimeter components consist of application servers for things like e-mail and web access; VPN access servers; proxy servers; and security elements such as IDS and firewalls. [Video description ends] where the services that I provide out to the world wide web are located. And where incoming remote client connections come in through, as well as maybe leased lines to a branch office or other locations. Or they're the terminal endpoints for tunnels, for encrypted tunnels to those branch offices and other business partners out there. Or to our cloud services and other locations on the Internet. [Video description begins] He points to the external section of the diagram, which consists of the Internet and cloud services, such as Azure and Amazon, as well as branch offices and various business partners. [Video description ends]
 
This is a far more complex kind of design, and we understand that there are firewalls between the perimeter network and the Internet, between the external network, outside world, and my internal network. And then on the other end of those connections there is going to be firewalls there too and this configuration supports a wide variety of network connects. And so, for example, the desktop clients might be hard-wired into the network along with all those servers. While mobile clients come in, and they just hop on the Wi-Fi. Additionally, I have remote access clients that dial-in to my remote access servers out in the DMZ or that VPN in to those access servers. [Video description begins] He points to the perimeter section of the diagram. [Video description ends] And so, we want to talk a little bit about the nature of these network connections.
 
[Video description begins] A table displays, listing access type, data encryption, speed, and protocol information for different networks. VPN connections are remote access networks, always use data encryption, have good speeds, and use authentication, encryption hash algorithms, and network protocols. Dial-up networks use remote access, have optional data encryption, are slow, and only use authentication protocols. Wireless networks are local access (intranet) networks, are always encrypted, have good speeds, and use authentication, encryption hash algorithms, and network protocols. WWAN networks use remote access, are always encrypted, have good to fast speeds, but are costly, and use third party protocols. Wired networks use local access (intranet), have optional encryption, offer fast speeds, and use authentication and network protocols. [Video description ends]
 
And if I take a look here at this chart and these can all be configured in the Network and Sharing Center. There's the common kinds of connections, right, VPN, dial-up, wireless, WWAN, and wired. And I would encourage you when you think about any network connection, or any client connection, whether it's a VPN client or a hard-wired client, the way that they connect to the network is really a collection of protocols. And if I look, the far-right-hand column here has the protocols that are critical to each of these connection types. And to get on your local network, you got to be running the network communication protocol, TCP/IP. Plus, you have to be able to authenticate, right? Nobody gets on your network if they can't prove who they are. And so the authentication and network protocols and configuration are going to be important to me there.
 
In a VPN or wireless scenario, it's a whole protocol parfait. The authentication protocols, the encryption protocols, the hash algorithms, as well as the IP configuration. And where does that IP configuration come from? Is the machine statically assigned these addresses or is it a DHCP client, or BOOTP client?
 
The critical thing here, the big takeaway here I would argue, is the question of data encryption. Because data encryption is expensive, right? It hits me in the processor, it'll slow throughput, it'll slow communication. And so I want to use it where there's a concern about data exposure. And that doesn't tend to be on my local internal wired network, right? It doesn't really even apply to dial-up connections because dial-up connections are point-to-point. Somebody would have to have a vampire tap in the copper and actually be tapping your phones to pull any of that data out.
 
Now, for WWAN connectivity, VPN, and wireless, the recommendation is that these are always encrypted to secure that traffic, because any of that traffic can be snooped. It's almost certainly going to be running over somebody else's wires or somebody else's devices before it gets back to a device of yours. That's certainly true in the case of VPN and WWAN traffic.
 

Homegroup, Workgroup, and Domain Setup

Now where we will begin is in the Control Panel system applet. And so I have that opened here. From the Control Panel, I open System and Security, and then System. [Video description begins] The System page of the Control Panel displays. It provides basic information about the presenter's PC, such as the processor type and amount of installed RAM. [Video description ends] And down in the middle of the page, I see Computer name, domain, and workgroup settings. And there's a choice over here on the right to change those settings. [Video description begins] The presenter points to the Change settings link associated with the Computer name, domain, and workgroup settings section. [Video description ends]
 
Now if you look here, there's a disjoint. Currently the machine is part of a domain, EarthFarm.com. But look at what the fully qualified domain name of the machine is. Now why is that? Well, this server had been in the UnitoGames.com domain and I moved it, I joined it to the EarthFarm.com domain. And this did not get updated. [Video description begins] He points to the Full computer name. [Video description ends]
 
So the first thing that I want to do is I want to correct that. And so on the right I'll hit Change settings. [Video description begins] A System Properties dialog box opens. The Computer Name tab is selected. There is an option to add a description. The current Full computer name and Domain are listed. [Video description ends] And the System Properties, the traditional System Properties dialog box opens. To rename this computer or change its domain or workgroup, click Change. And this is on that first tab, the Computer tab of System Properties, there's the one button, Change, I hit that. [Video description begins] The Computer Name/Domain Changes dialog box opens. It has options to change the name of the computer and assign it to a domain or workgroup. [Video description ends]
 
Now I can see the computer name, [Video description begins] He highlights the name in the Computer name text box, which is srv01. [Video description ends] and I see that it's a member of the domain EarthFarm. [Video description begins] The Domain radio button is selected in the Member of section. The associated text box displays the name EarthFarm.com. [Video description ends] And what that means is that it shares a security context with all the other EarthFarm machines. There's a central authentication and authorization service that runs on the domain controllers for the EarthFarm.com domain. And when this machine boots up, it will connect to those domain controllers, it will request its group policy, process that group policy against itself, and share the security context of the EarthFarm.com domain.
 
Now there's another choice here, Workgroup. [Video description begins] He selects the Workgroup radio button. [Video description ends] And if I were to move this machine into a workgroup, and I always use the W workgroup for no reason other than W is for workgroup. [Video description begins] He types "W" in the text box associated with the Workgroup radio button. [Video description ends] If the machine's in a workgroup, there's no central or shared security context. It stands on its own, it's isolated. Instead of your user account being in the Active Directory database on the domain controller so you can go to any machine in the place and login, your account now lives only on that one machine, completely isolated from all the others. And there it's in the SAM file database.
 
In a work environment, [Video description begins] He selects the Domain radio button. [Video description ends] I'll tell you, I've been doing this now for an awfully long time. And I've never walked into a business where there wasn't an Active Directory domain. Not since 2000, before 2000 I have not. And so in terms of ensuring your own employability, knowing Active Directory inside out is an awfully valuable tool set to have. And anybody that's going to manage Windows machines should know Active Directory. And the beginning of understanding that, in the domain there's a central database that exists only on the domain controllers, that's where my user account is. In a workgroup, every machine is unique with a SAM file database of local users and computers.
 
Now our concern here is this computer name that's left over from the last domain join. [Video description begins] He highlights the full computer name which displays below the Computer name text box. [Video description ends] Well, if I click the More button, [Video description begins] A DNS Suffix and NetBIOS Computer Name dialog box opens. There are options to set the primary DNS suffix and NetBIOS computer name for the PC. [Video description ends] I can specify the primary DNS suffix for this computer.
 
Now you may say to yourself, well, Murph, if I've got a domain shouldn't it always be the domain? Well, you could have more than one domain, right? You can have an Active Directory forest with lots of domains. And then sometimes you want to adjust that search order for single label name look-ups. That is to say, if you have a SRV01, like we do here, in the EarthFarm.com domain, I could also have a SRV01 in the UnitoGames.com domain. And then I want to say, which one are you really looking for? [Video description begins] He types "EarthFarm.com" in the Primary DNS suffix of this computer Name text box. [Video description ends] And then I could adjust the search order based on the primary DNS suffix. And so I'll say OK. [Video description begins] He clicks OK and returns to the Computer Name/Domain Changes dialog box. [Video description ends]
 
Now that will change the computer name for us. And we've identified the principal distinctions between the domain and workgroup. The workgroup is really for environments of less than ten machines, because if you've only got client machines, they can accept a maximum of ten concurrent connections at a time.
 
And now here we are on the domain controller for EarthFarm.com. [Video description begins] He switches to a virtual machine with an IP address of 23.235.27.168. A Windows 10 desktop displays. [Video description ends] And I can see the IP address for this machine up there also, public IP.
 
Now guys, I'm going to leave that in there, that little bit of troubleshooting. Because you'll notice what I did, as soon as I had the problem, and it couldn't get to a domain controller, it couldn't contact the domain controller, I knew immediately it was a DNS look-up issue. I checked the IP configuration, I see the problem immediately. You want to be able to do that too.
 
The last thing in here is homegroup. Homegroup was great in Windows 7 for your home network environments. Lets you share media and such across any device in the place. It's been deprecated. It does not exist anymore. And so there's no more homegroups. So when do you use homegroup in Windows 10? You don't.
 
Well, actually, just off the record, because this is not a supported solution, out on the Internet, there is a third-party solution for porting homegroup functionality to Windows 10, if you're big on it. But be aware, it's not a supported solution. But anybody that's interested in homegroup would want to know that.
 

Printers and Shares

And when we think about shares, a share is just a folder that is accessible from across the network. And traditionally if that share was on a client machine, like a Windows 7 machine, Windows XP machine, whatever, you could have as many as ten concurrent connections.
 
A server, if you're running a Windows Server operating system, has an unlimited number of connections, right? You just got to scale the hardware to meet the demand. And so that's one of the inflection points, right? If I have ten computers or more than ten computers, I'm going to want to have a server, generally, in most places.
 
Now what's interesting is something called administrative shares. And essentially, the drives, that is the root drive where the Windows operating system is installed, commonly C. And then additional partitions, logical partitions on that drive, D drive for data or other additional installed drives, are shared out secretly. They're shared secretly as administrative shares.
 
Now, what do we mean by that? Well, if you take a look here on the page, I have a Run dialog box open. [Video description begins] A Run dialog box is open on a Windows desktop. [Video description ends] And in that Run dialog box, I've typed the name of a server, this is a UNC path name convention, right? So it's \\ server name \ share name. [Video description begins] He points to the name in the Open text box, which is \\TARDIS2\C$. [Video description ends] And in the example here, I'm connecting to C$. And what that $ means is that this is a hidden share. When users look for lists of shares, they don't ever see this. You just know it's there because you're an administrator. And with administrative rights, I can connect to that share.
 
And so when I think about my needs as a network admin and the need to administer servers on the network, [Video description begins] He clicks OK. A File Explorer window opens to display the folders on \\TARDIS2\C$. [Video description ends] I think about these hidden shares because this means I'm right there, I'm on this machine now, right? I can go into the Windows directory, I can browse this, I could copy files in here, [Video description begins] He opens the Windows folder and points to the various subfolders. [Video description ends] I could take files out of here, [Video description begins] He points to the Seagate Expansion Drive (E:) in the This PC section of the navigation pane. [Video description ends] edit files, whatever I need to do, right?
 
Pretty much, there are a few exceptions to that rule. [Video description begins] He clicks the back arrow on the navigation bar to return to the root directory. [Video description ends] Well, for example, right? If we take a look, there's a folder here called Share, and that is my Share out there on the network. And if I look at the properties of this Share, [Video description begins] He right-clicks the Share folder and selects Properties from the shortcut menu. The Share Properties dialog box opens. The General tab is selected. Information such as the type of file and its location, displays. [Video description ends] you'll notice that there's no sharing tab. [Video description begins] The available tabs in the dialog box are for General, Security, Previous Versions, and Customize. [Video description ends] And that's because I'm remoted into this administrative share. So not all functions are available across the network like this. [Video description begins] He clicks OK to close the dialog box and returns to the File Explorer window. [Video description ends]
 
But what we can do is I could RDP into this server, and then that's the same as sitting on the server. And so, in point of fact, I have an RDP connection open, I'm going to bring that up. [Video description begins] He opens a remote desktop connection from the taskbar. File Explorer is open and folders on the Local Disk display. [Video description ends] And now you know you're not looking at my desktop anymore because if you look up top here, there is the IP address of the machine that I'm connected to. [Video description begins] He points to the IP address, which is 23.235.27.168 in this case. [Video description ends] And so what we're looking at now is the Windows Explorer window on that remote file server.
 
Now if I access the properties of the share, [Video description begins] He right-clicks the Share folder and selects Properties from the shortcut menu. The Share Properties dialog box opens on the General tab. [Video description ends] I can see that in fact, there's the Sharing tab, right? [Video description begins] He clicks the Sharing tab. Options to set network file and folder sharing display. The folder is currently shared. [Video description ends]
 
And if I come in here, well, let's do it from the beginning. Let's create one of our own. [Video description begins] He clicks Cancel to return to File Explorer. [Video description ends] And so I'll say New - Folder, and we'll call this share example. [Video description begins] He right-clicks an empty area in File Explorer and selects New - Folder from the shortcut menu. A New Folder displays with its name selected. He renames the folder share example. [Video description ends]
 
And when the folder is created, if I right-click it and say, Properties, [Video description begins] He selects Properties from the shortcut menu. The share example Properties dialog box opens with the General tab selected. [Video description ends] there's a choice here for Sharing. [Video description begins] He clicks the Sharing tab. The folder is not shared at this stage. [Video description ends]
 
Now there is a simplified Share interface here and that you can use certainly. [Video description begins] He clicks Share in the Network File and Folder Sharing section. A File Sharing dialog box opens, with options to select the people on the network to share the folder with. [Video description ends] It gives you some basic choices. But I'd like to look at the Advanced Sharing choice. [Video description begins] He clicks Cancel to return to the share example Properties dialog box. He clicks Advanced Sharing in the Advanced Sharing section. An Advanced Sharing dialog box opens. Sharing options display. [Video description ends]
 
And so I come in to Advanced Sharing, I'll say, Share this folder. [Video description begins] He selects the Share this folder checkbox. Additional settings become available. [Video description ends] How do I want to share it? What name do I want to give it? Well, I can share with that name or maybe the function of this will be for the finance group. And so I can give it a different share name than the name the folder actually has. And in fact, I can give it a number of these names, so that if I want to share it between different people. [Video description begins] He changes the name in the Share name text box from share example to Finance. [Video description ends]
 
You'll notice that I can limit the number of simultaneous users, right? Although I don't have any particular need to do that. [Video description begins] He points to the Limit the number of simultaneous users to spin box. It's set to 77216. [Video description ends] And then down here is this Permissions choice. [Video description begins] He clicks the Permissions button. The Permissions for Finance dialog box opens. It includes options to allow or deny full control, change, and read permissions. [Video description ends] And if I look at the permissions, the permissions are simplified, the share permissions. [Video description begins] In the Permissions for Everyone section, he selects the Allow checkbox for Full Control. The Allow checkboxes for Change and Read permissions are automatically selected. [Video description ends] Full Control, Change, or Read. Read lets users see what's in the folder. Change lets users add to what's in the folder. And then Full Control lets them do anything they want including specify permissions.
 
Now I'm going to set the Share Permissions here to Full Control for the Everyone group. [Video description begins] He points to Everyone listed in the Group or user names section. [Video description ends] And the reason that I'm going to do that is because I can lock the folder down with the NTFS permissions. And this is an important point. This is an important takeaway here. [Video description begins] He clicks OK to close the Permissions for Finance dialog box. He closes the remaining dialog boxes and returns to File Explorer. [Video description ends]
 
If I come back in here to Security, [Video description begins] He right-clicks the share example folder and selects Properties from the shortcut menu. The share example Properties dialog box opens on the General tab. He clicks the Security tab. [Video description ends] here are the NTFS permissions. Well, if I want to lock this thing down, if I don't give you permission in here, you can't access this directory. And so the default permissions are what's inherited from parent partition. And I see that the Users group for the domain has only by default, Read access. [Video description begins] He selects Users (EARTHFARM\Users) from the Group or user names list. In the Permissions for Users list, only Read & execute, List folder contents, and Read permissions are checked off. [Video description ends]
 
So when any standard user account accesses this share, even though we gave the share permission as full control, their effective permission is Read. And the reason for that is because when more than one permission set applies, it's the most restrictive that wins. So when I combine permission types, Share and NTFS for example, it's the most restrictive permission that wins. And if I gave them full control in NTFS but only read on the share, what would their effective permissions be? Read, the most restrictive.
 
Now the last thing I just want to mention here. There's also, in settings, there's the printers and scanners choice. [Video description begins] He opens Settings from the taskbar. Printers & scanners is selected from the navigation pane. [Video description ends] And this is where I could add a printer, [Video description begins] He points to the Add a printer or scanner option. [Video description ends] I could share out a network printer.
 
If I look at any one of these printers, I can Manage the printer. [Video description begins] He selects one of the printers in the Printers & scanners section. Three buttons display: Open queue, Manage, and Remove device. He clicks Manage. The Manage your device page for the selected printer opens. [Video description ends] And here I could Print a test page, Run the troubleshooter, see the properties, or open the queue. So that if I had print jobs in there that were stuck, I could end those jobs. [Video description begins] He points to the links in the navigation pane and the Open print queue button. [Video description ends]
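
The share walkthrough above leaves the share permission at Full Control for Everyone and relies on NTFS to lock the folder down. The PowerShell below is an added example, not part of the course material, that lists the shares configured this way and flags any whose NTFS ACL also lets a broad group write; the function names are hypothetical, and it assumes an elevated session on the file server.

```powershell
# Added example: find shares where the share-level grant is wide open, so the
# NTFS ACL is the only control, and check whether NTFS is wide open as well.

# Broad groups by well-known SID (display names are localized, SIDs are not).
$BroadSids = @(
    'S-1-1-0',       # Everyone
    'S-1-5-11',      # Authenticated Users
    'S-1-5-32-545'   # BUILTIN\Users
)

# NTFS rights that change content or the ACL, plus GENERIC_WRITE (0x40000000)
# and GENERIC_ALL (0x10000000), which can appear unmapped on inherited entries.
$Rights = [System.Security.AccessControl.FileSystemRights]
$WriteMask = [int]($Rights::WriteData -bor $Rights::AppendData -bor $Rights::Delete -bor
    $Rights::DeleteSubdirectoriesAndFiles -bor $Rights::ChangePermissions -bor
    $Rights::TakeOwnership) -bor 0x40000000 -bor 0x10000000

function ConvertTo-SidString {
    param([string]$AccountName)
    if ($AccountName -match '^S-1-\d') { return $AccountName }   # already a SID
    try {
        $acct = [System.Security.Principal.NTAccount]::new($AccountName)
        return $acct.Translate([System.Security.Principal.SecurityIdentifier]).Value
    } catch {
        return $null   # deleted account or unreachable domain
    }
}

function Test-BroadSid {
    param([string]$Sid)
    # Domain Users is S-1-5-21-<domain>-513 in every domain.
    return ($BroadSids -contains $Sid) -or ($Sid -match '^S-1-5-21-.+-513$')
}

function Get-OpenShareReport {
    # -Special $false leaves out the hidden administrative shares (C$, ADMIN$, IPC$).
    foreach ($share in (Get-SmbShare -Special $false)) {
        if (-not $share.Path) { continue }
        if (-not (Test-Path -LiteralPath $share.Path -PathType Container)) { continue }

        # Share-level Allow entries that give a broad group Change or Full.
        $openGrants = Get-SmbShareAccess -Name $share.Name | Where-Object {
            "$($_.AccessControlType)" -eq 'Allow' -and
            "$($_.AccessRight)" -in 'Full', 'Change' -and
            (Test-BroadSid (ConvertTo-SidString $_.AccountName))
        }
        if (-not $openGrants) { continue }

        # NTFS Allow entries that give a broad group any write-class right.
        $acl = Get-Acl -LiteralPath $share.Path
        $broadWriters = foreach ($ace in $acl.Access) {
            if ("$($ace.AccessControlType)" -ne 'Allow') { continue }
            if (([int]$ace.FileSystemRights -band $WriteMask) -eq 0) { continue }
            $sid = ConvertTo-SidString $ace.IdentityReference.Value
            if (Test-BroadSid $sid) {
                "$($ace.IdentityReference.Value):$($ace.FileSystemRights)"
            }
        }

        if ($broadWriters) {
            $finding = 'Share and NTFS both allow broad write access'
        } else {
            $finding = 'NTFS is the limiting control; re-check after any ACL change'
        }

        [pscustomobject]@{
            Share        = $share.Name
            Path         = $share.Path
            ShareGrants  = ($openGrants | ForEach-Object { "$($_.AccountName):$($_.AccessRight)" }) -join '; '
            BroadWriters = ($broadWriters -join '; ')
            Finding      = $finding
        }
    }
}

Get-OpenShareReport | Format-List
```

The check reads only the ACL on the share's root folder; subfolders that break inheritance need their own review.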
 

Remote Connections

Well, commonly what we do is we have a proxy server, and the proxy server is a caching server, right? It'll cache information about Internet requests, common requests, so that it can deliver them fast to the clients. It acts as a firewall to protect your network from the outside world, that's the function of a proxy server, and very common, right?
 
If we take a look, here I am in the Settings applet from the Windows 10 console, [Video description begins] The Windows Settings page displays. Options include System, Devices, and Phone. There is also a search bar available to find a particular setting. [Video description ends] and there's the Network & Internet choice. And if I select Network & Internet and look in the left-hand navigation pane. The very last choice, all the way here at the bottom is Proxy. [Video description begins] The Network & Internet section opens with the Status page selected from the navigation pane. Other options include Ethernet, Dial-up, and VPN. The presenter points to the last option, which is Proxy. [Video description ends]
 
And if I hit Proxy, [Video description begins] The Proxy page opens. Automatic and manual proxy setup options display. [Video description ends] I can see that currently I am configured to Automatically detect settings. [Video description begins] He points to the Automatically detect settings toggle in the Automatic proxy setup section, which is set to On. [Video description ends] And commonly, this would be enough, but of course we all know that automatic doesn't always work.
 
And so if I have a need to do manual configuration of the proxy server settings on the client, I can go ahead and I can write a setup script. And then I can specify the script address here where it'd go to get the script. [Video description begins] He toggles Use setup script to On and points to the Script address text box that becomes available. He then toggles Use setup script back to Off. [Video description ends]
 
Or I can just do manual proxy server configuration here, specify the IP address. [Video description begins] In the Manual proxy setup section, he toggles Use a proxy server to On. He points to the Address text box. [Video description ends] And it's worth mentioning the default port that the proxy server uses is 8080. [Video description begins] He types "8080" in the Port text box. [Video description ends] Which is the alternate HTTP port and is unused by anything else, and so that's common.
 
Down here, I can make exceptions to the proxy rule so that if there's a list of websites, say internal cloud services that are out on the web. I can specify the proxy server except for the addresses that start with the following entries, and then I can list those in there. [Video description begins] He points to the following text box: Use the proxy server except for addresses that start with the following entries. Use semicolons (;) to separate entries. [Video description ends]
 
And down here, there's the choice, Don't use the proxy server for local addresses. If you're communicating on the intranet, there's no reason to go through the proxy server, so we can skip that. [Video description begins] He points to the Don't use the proxy server for local (intranet) addresses checkbox, which is not currently selected. [Video description ends] And that's the proxy server setup on a Windows 10 client today.
 
Now, when we think about remote connections, we also think about clients coming in. And there are a couple of things that I want to look at here. [Video description begins] He closes the Settings window. The Control Panel - All Control Panel Items - System page displays. Basic information about his PC is listed, such as the edition of Windows it's running, as well as how much memory is installed. [Video description ends] And the first is RDP connections and then remote assistance. And RDP, or the remote desktop protocol, would let me come into my machine when I'm not in the office. And how might that work or what would that look like?
 
Well, the very first thing is in the System applet, so I'm in the Control Panel, System applet. There is a choice for Advanced settings or there is actually a choice today for Remote settings which gets me to the same place, basically. [Video description begins] He points to the Advanced system settings and Remote settings links in the navigation pane. [Video description ends]
 
If I click on Remote settings, that opens this dialog box. [Video description begins] The System Properties dialog box opens. The Remote tab is selected. There are sections for Remote Assistance and Remote Desktop. [Video description ends] And the first thing that I need to do is Allow Remote Assistance connections to this computer. [Video description begins] He selects the Allow Remote Assistance connections to this computer checkbox in the Remote Assistance section. [Video description ends] And once I've allowed those Remote Assistance connections to this computer, I can then initiate remote assistance requests.
 
So, for example, right, let's take a look down here. [Video description begins] He points to the Remote Desktop section. [Video description ends] And if I look at the Advanced, if I click on Advanced there, [Video description begins] He clicks Advanced in the Remote Assistance section. The Remote Assistance Settings dialog box opens. It has sections for Remote control and Invitations. [Video description ends] am I allowing this computer to be controlled remotely? [Video description begins] He points to the Allow the computer to be controlled remotely checkbox in the Remote control section, which is selected. [Video description ends] If I were to request assistance from somebody with a problem that I was having and they were to come in. Would they have control of my desktop or would they have to tell me what to do, and I can specify that.
 
Then the maximum amount of time that invitations can remain open. [Video description begins] He points to the Set the maximum amount of time invitations can remain open options in the Invitations section. There are two drop-down lists, one set to 6, the other to Hours. [Video description ends] So how the remote assistance process works, is I issue an invitation and then you can come in and look at my computer.
 
I can specify down here that I want to support invitations that can only be used from computers running Windows Vista or later. [Video description begins] He selects the following checkbox: Create invitations that can only be used from computers running Windows Vista or later. [Video description ends] Because I want to support NLA, which is network level authentication. [Video description begins] He clicks OK and returns to the System Properties dialog box. [Video description ends] And commonly today, that's what you would want, that's going to give me the most secure scenario for these remote connections. Allow connections only from computers running NLA, that's exactly what I would want. [Video description begins] He selects the Allow connections only from computers running Remote Desktop with Network Level Authentication (recommended) checkbox in the Remote Desktop section. [Video description ends]
 
Now how this might work, if I just do a search for remote assistance, [Video description begins] He clicks OK to close the dialog box, then opens Cortana and types "remote ass" in the search bar. [Video description ends] I get this choice, Invite someone to connect to your PC and help you. [Video description begins] He selects the option from the search results. A Windows Remote Assistance dialog box opens on the Do you want to ask for or offer help page. There are options to either get help from another user, or help someone who has requested assistance. [Video description ends] Do I want to ask for help? Yes, I do.
 
Invite someone I trust or if I've got an invitation from somebody, help someone who has invited me. [Video description begins] He points to the Invite someone you trust to help you and Help someone who has invited you options. [Video description ends] Well, I'm going to say, invite someone. [Video description begins] He selects Invite someone you trust to help you. The How do you want to invite your trusted helper page opens. Available options include saving the invitation or sending it via email. [Video description ends]
 
Now, do I save this invitation as a file? Do I use email to send the invitation? [Video description begins] He points to the Save this invitation as a file, Use email to send an invitation, and Use Easy Connect options. [Video description ends] Or do I use Easy Connect? Now Easy Connect is grayed out here, and it's grayed out because this machine is part of a domain, and that's generally the reason why.
 
Now you may say, why would being in a domain prevent these remote assistance connections using Easy Connect? There's a couple of reasons, the peer name resolution protocol may not be running or I might not have Teredo, or Teredo configured properly. Teredo's an IPv4 to 6 transition technology.
 
For our purposes, I'll save the invitation as a file, [Video description begins] He selects Save this invitation as a file. A Save As dialog box opens. The contents of the Documents folder on This PC displays. The file name for the invitation is Invitation.msrcIncident. He clicks Save to close the dialog box. [Video description ends] and then what I would do is I would email that to somebody else. And they would then have this information, which would let them connect to my machine. [Video description begins] He opens a Windows Remote Assistance window, which displays a password to allow the helper to access the invitation file. [Video description ends]
 
Finally, there's RDP. [Video description begins] He opens Cortana and types "rdp" in the search bar. A Remote Desktop Connection window opens. An IP address and user name for a remote system displays. [Video description ends] And RDP lets me connect to a machine without the invitation. [Video description begins] He selects Show Options. A range of tabs and additional options display. The General tab is selected. Other tabs include Display, Local Resources, and Experience. [Video description ends]
 
Any machine that is set up for RDP access, I can specify the computer, [Video description begins] He points to the Computer drop-down list, which displays the IP address of the remote system. [Video description ends] then the credentials required to connect to that machine. [Video description begins] He highlights the information in the User name text box, which is earthfarm\administrator in this case. [Video description ends]
 
And then on these remaining tabs, I can set some display settings. What should the screen resolution maybe be, [Video description begins] He clicks the Display tab and sets the Display configuration slider to 1280 by 720 pixels. [Video description ends] what color quality, [Video description begins] He points to the Choose the color depth of the remote session drop-down list, which is set to Highest Quality (32 bit). [Video description ends] what happens when music gets played? [Video description begins] He clicks the Local Resources tab, then clicks Settings in the Remote audio section. A Remote Desktop Connection dialog box with remote audio playback and recording options displays. [Video description ends]
 
Well, if it's played on the remote machine, do I want it to play on this computer? [Video description begins] He points to the Play on this computer radio button in the Remote audio playback section, which is selected. There are also radio buttons for Do not play and Play on remote computer. [Video description ends] What about recording? Do I record this computer or do I not record? [Video description begins] He points to the radio buttons in the Remote audio recording section. Do not record is selected. He clicks Cancel to close the dialog box. [Video description ends]
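
The Remote tab settings discussed in this section can be read back from the registry to confirm what a machine actually accepts. The PowerShell below is an added example, not part of the course material; the function names are hypothetical, and the registry value names are the ones Windows uses for these settings, with any Group Policy value taking precedence over the local one.

```powershell
# Added example: report whether Remote Desktop and Remote Assistance are
# enabled, and whether RDP requires Network Level Authentication (NLA).

$TsKey     = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$RaKey     = 'HKLM:\SYSTEM\CurrentControlSet\Control\Remote Assistance'
$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'

function Get-EffectiveValue {
    param([string]$Name, [string]$LocalPath)
    # A value set by Group Policy overrides what the dialog box wrote locally.
    foreach ($source in @(@{ Label = 'Group Policy';  Path = $PolicyKey },
                          @{ Label = 'Local setting'; Path = $LocalPath })) {
        $item = Get-ItemProperty -LiteralPath $source.Path -Name $Name -ErrorAction SilentlyContinue
        if ($null -ne $item) {
            return [pscustomobject]@{ Value = [int]$item.$Name; Source = $source.Label }
        }
    }
    return [pscustomobject]@{ Value = $null; Source = 'Not set' }
}

function Get-RemoteAccessPosture {
    $rdpDenied = Get-EffectiveValue 'fDenyTSConnections' $TsKey
    $nla       = Get-EffectiveValue 'UserAuthentication' "$TsKey\WinStations\RDP-Tcp"
    $raAllowed = Get-EffectiveValue 'fAllowToGetHelp'    $RaKey
    $raControl = Get-EffectiveValue 'fAllowFullControl'  $RaKey

    $rdpOn = ($rdpDenied.Value -eq 0)   # 0 means connections are NOT denied
    $raOn  = ($raAllowed.Value -eq 1)

    # Remote Desktop: the finding that matters is RDP enabled without NLA.
    if (-not $rdpOn) {
        $rdpFinding = 'Remote Desktop is off'
    } elseif ($nla.Value -eq 1) {
        $rdpFinding = 'Remote Desktop is on and requires NLA'
    } else {
        $rdpFinding = 'Remote Desktop is on WITHOUT NLA; enable the NLA checkbox or policy'
    }

    # Remote Assistance: view-only versus full control of the desktop.
    if (-not $raOn) {
        $raFinding = 'Remote Assistance invitations are off'
    } elseif ($raControl.Value -eq 1) {
        $raFinding = 'Remote Assistance is on; helpers may take control of the desktop'
    } else {
        $raFinding = 'Remote Assistance is on; helpers can view only'
    }

    [pscustomobject]@{
        Feature = 'Remote Desktop'
        Enabled = $rdpOn
        Source  = $rdpDenied.Source
        Detail  = "UserAuthentication=$($nla.Value) ($($nla.Source))"
        Finding = $rdpFinding
    }
    [pscustomobject]@{
        Feature = 'Remote Assistance'
        Enabled = $raOn
        Source  = $raAllowed.Source
        Detail  = "fAllowFullControl=$($raControl.Value) ($($raControl.Source))"
        Finding = $raFinding
    }
}

Get-RemoteAccessPosture | Format-List
```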
 

Update Best Practices - Automate and Validate

In this section, we want to talk about some best practices. And the key takeaway here for all of these is going to be automate and validate.
 
So for my backups, what I want to do is I want to schedule automatic backups. But it's not good enough to just schedule them. It must be part of somebody's job to validate that the backup tasks are working. They've got to be performing test restores. If you're not doing that, I guarantee you, the day that you need those backups, you're going to find out that they're no good.